Re: SQL Injection Prevention

From: Nigel Rivett (sqlnr_at_hotmail.com)
Date: 09/28/04 

Date: Tue, 28 Sep 2004 08:39:05 -0700

It's just that your arguement doesn't seem to make sense.
If you write a bad SP it's possible to introduce injection vulnerabilities.
If you write bad app code it's possible to introduce injection
vulnerabilities.

SP's mean that you don't need t ogive the user permissions on the tables
(which incidentally means that dynamic sql is not possible so negates one of
your arguments).

You could say that parameterised client statement security depends on the
way the client code is written.

if instead of the code you gave they decide to exec the statement
conctenated with the parameter they will get back the same cusor but
introduce an injection vulnerability.

Basically it's all about writing sensible code - you can't guard against
poor developers. Trying to force them to use a standard interface will help
though. A dal which enforces parametrised queries would do that. The same as
would only giving access to stored procedures. I suspect they would have the
same effect in this area - just that SPs are easier to truobleshoot, you can
change the database structure without affecting the app and enhance security.

"Valery Pryamikov" wrote:

> Common guys, what is it with you? I'm not bashing stored procedures, not at
> all. I'm just saying that when it concerns to SQL injection, then
> parameterized DML statement is more protected than parameterized call to
> stored procedure. That's it. I don't think you can prove opposite. But that
> doesn't mean anything about good programming practices what so ever. Do you
> read subject - SQL injection which only happens due to bad programming
> practices.
>
> I'm not in any way going to fight beaten to death holy war about "are stored
> procedures better than SQL DMLs or not".
>
> -Valery.
> http://www.harper.no/valery
>
> "Nigel Rivett" <sqlnr@hotmail.com> wrote in message
> news:483195D1-E0AC-4765-8EDA-D0B76D923DED@microsoft.com...
> > You're comparing a well built parameterized sql statement against a badly
> > built stored procedure so it's obvious which will win.
> >
> > Stored procedures are easier to review and so catch bad proctices and are
> > usually the domain of people who have some experience in dealing with
> > databases.
> >
> >>> for stored procedure to return the same cursor as select, this stored
> >>> procedure has to execute the same select.
> >
> > Not true.
> >
> >>> if stored procedure implemented wrong way - ie it constructs sql by
> >>> concatenating received parameter with sql string,
> >
> > I can't believe anyone would do that - if you would consider it then I
> > suggest you stay away from databases altogether :).
> >
> > The stored procedure in your example would probably be
> >
> > create proc a
> > @key int
> > as
> > select somevalue from sometable where somekey = @key
> > go
> >
> > You need to build a case that this is more vulnerable than the apllication
> > code - bearing in mind that a person writing a stored proc is likely to
> > have
> > more database experience than the person writing the app code.
> >
> >>> in Oracle you have possibility to execute dynamic cursor from stored
> >>> procedure. Ie. you construct whatever sql string inside stored procedure
> >>> and open cursor on
> > that string. I believe it must be similar functionality in SQL server
> >
> > Your belief is very wrong (and I hope you aren't trying to use that
> > belief).
> >
> > p.s. I've have never written an explicit cursor in t-sql (except to "help"
> > others and never will).
> >
> >
> > "Valery Pryamikov" wrote:
> >
> >> Tibor,
> >> we aren't talking about good programming practices when we discuss SQL
> >> injection, aren't we :-).
> >> as long as there is possibility to screw something, we have to account
> >> for
> >> it. Therefore my statement stays that parameterized SQL actually provides
> >> better protection against SQL injection than parameterized call to stored
> >> procedure.
> >>
> >> -Valery.
> >> http://www.harper.no/valery
> >>
>
>
>

Relevant Pages

  • Re: SQL Injection Prevention
    ... If you write a bad SP it's possible to introduce injection vulnerabilities. ... I'm just saying that when it concerns to SQL injection, ... >> built stored procedure so it's obvious which will win. ...
    (microsoft.public.sqlserver.server)
  • Official release of SQL Power Injector 1.2
    ... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
    (Bugtraq)
  • Official release of SQL Power Injector 1.2
    ... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
    (Pen-Test)
  • Official release of SQL Power Injector 1.2
    ... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
    (Security-Basics)
  • Official release of SQL Power Injector 1.1
    ... I have the pleasure to announce that a new version of SQL Power Injector is now officially available on my web site: ... For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal ... Response of the SQL injection in a customized browser ...
    (Pen-Test)